NAME

       softhsm-keyconv - converting between BIND and PKCS#8 key file formats

SYNOPSIS

       softhsm-keyconv --topkcs8 --in path --out path [--pin PIN]
       softhsm-keyconv --tobind --in path [--pin PIN] \
              --name name [--ttl ttl --ksk] --algorithm algorithm

DESCRIPTION

       softhsm-keyconv  can  convert  between  BIND .private-key files and the
       PKCS#8 file format.  This is so that you can  import  the  PKCS#8  file
       into  libsofthsm  using  the command softhsm.  If you have another file
       format, then openssl probably can help  you  to  convert  it  into  the
       PKCS#8 file format.

       The  following  files  will  be  created  when  converting to BIND file
       format:

       Kname+alg_id+key_tag.key
              Public key in RR format

       Kname+alg_id+key_tag.private
              Private key in BIND key format

       The three parts of the file name mean the following:

              name   The owner name given by the --name argument.

              alg_id A numeric representation of the --algorithm argument.

              key_tag
                     Is a checksum of the DNSKEY RDATA.
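
       The base name that --tobind should produce can be checked without the
       tool.  The following is an added example, not part of the original man
       page or of SoftHSM: it computes the key tag from a DNSKEY RR, assuming
       the standard RFC 4034 Appendix B checksum, and builds the
       Kname+alg_id+key_tag name.  The function names and the sample records
       (a 4-byte dummy key) are constructed for illustration.

```python
import base64
import struct

# Mnemonics accepted by --algorithm, mapped to IANA DNSSEC algorithm numbers.
ALG_ID = {"RSAMD5": 1, "DSA": 3, "RSASHA1": 5, "DSA-NSEC3-SHA1": 6,
          "RSASHA1-NSEC3-SHA1": 7, "RSASHA256": 8, "RSASHA512": 10}


def key_tag(flags, protocol, alg_id, pubkey):
    """Key tag over the DNSKEY RDATA (assumption: RFC 4034, Appendix B)."""
    rdata = struct.pack("!HBB", flags, protocol, alg_id) + pubkey
    if alg_id == 1:
        # RSAMD5 special case: 16 bits taken from the end of the modulus.
        return (rdata[-3] << 8) | rdata[-2]
    acc = 0
    for i, octet in enumerate(rdata):
        # Even offsets are the high byte of a 16-bit word, odd the low byte.
        acc += octet if i & 1 else octet << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def expected_basename(rr_line):
    """Return 'Kname+alg_id+key_tag' for one DNSKEY RR in presentation format."""
    fields = rr_line.split()
    at = fields.index("DNSKEY")
    flags, protocol, alg_id = (int(f) for f in fields[at + 1:at + 4])
    if alg_id not in ALG_ID.values():
        raise ValueError("algorithm %d is not in the supported list" % alg_id)
    # The base64 key may be split by whitespace; join the pieces first.
    pubkey = base64.b64decode("".join(fields[at + 4:]))
    tag = key_tag(flags, protocol, alg_id, pubkey)
    return "K%s+%03d+%05d" % (fields[0], alg_id, tag)


# Constructed sample records: a 4-byte dummy "public key", not a real key.
ZSK = "example.com. 3600 IN DNSKEY 256 3 8 AQIDBA=="
KSK = "example.com. 3600 IN DNSKEY 257 3 8 AQIDBA=="

if __name__ == "__main__":
    # Same key material, different flags: --ksk changes the key tag too.
    print(expected_basename(ZSK))
    print(expected_basename(KSK))
```

       Because the flag field is part of the RDATA, the same key converted
       with and without --ksk gets two different key tags and file names.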

OPTIONS

       --topkcs8
              Convert from BIND .private-key format to PKCS#8.
              Use with --in, --out, and --pin.

       --tobind
              Convert from PKCS#8 to BIND .private-key format.
              Use with --in, --pin, --name, --ttl, --ksk, and --algorithm.

       --algorithm algorithm
              Specifies which DNSSEC algorithm to use when converting to  BIND
              format.  The supported algorithms are:
                     RSAMD5
                     DSA
                     RSASHA1
                     RSASHA1-NSEC3-SHA1
                     DSA-NSEC3-SHA1
                     RSASHA256
                     RSASHA512

       --help, -h
              Shows the help screen.

       --in path
              The path to the input file.

       --ksk  Sets the flag field in the DNSKEY RR in the .key file to 257
              instead of 256, indicating that the key is a Key Signing Key.
              Can be used when converting to BIND format.

       --name name
              The  owner  name  to use in the BIND file name and in the DNSKEY
              RR.  Do not forget the trailing dot, e.g. "example.com."

       --out path
              The path to the output file.

       --pin PIN
              The PIN is used to encrypt or decrypt the PKCS#8 file, depending
              on whether we are converting to or from PKCS#8.  If not given,
              the PKCS#8 file is assumed to be unencrypted.

       --ttl TTL
              The TTL to use for the DNSKEY RR.  Optional; defaults to 3600
              seconds.

       --version, -v
              Show the version info.

EXAMPLES

       To  convert  a  BIND  .private-key file to a PKCS#8 file, the following
       command can be used:

              softhsm-keyconv --topkcs8 \
                     --in Kexample.com.+007+05474.private --out rsa.pem

       To convert a PKCS#8 file to BIND key files, the following  command  can
       be used:

              softhsm-keyconv --tobind --in rsa.pem --name example.com. \
                     --ksk --algorithm RSASHA1-NSEC3-SHA1

AUTHOR

       Written by Rickard Bellgrim.

SEE ALSO

       softhsm(1),  softhsm.conf(5),  openssl(1),  named(1), dnssec-keygen(1),
       dnssec-signzone(1)